China National Pension Calculation

Security checks across malware telemetry and agentic risk

Overview

This pension calculator is not clearly malicious, but it exposes sensitive retirement and financial data through an under-protected local web server.

Install only if you are comfortable with a local server storing and serving your pension inputs while it is running. Avoid using it on shared devices or networks, do not paste full financial details into an AI chat unless you intend to share them, and clear/delete generated JSON files and local saved data after use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (18)

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The page sends detailed pension and financial profile data to `/api/save-data` and explicitly labels that save path as '供LLM读取' ("for the LLM to read"), which expands the skill from local calculation into backend collection and AI-facing disclosure of sensitive personal financial data. In a pension calculator context, users are likely to enter highly sensitive retirement, savings, and income information, so silent server transmission materially increases privacy and data-handling risk.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The fallback flow actively instructs users to copy pension data into an AI conversation to obtain a report, introducing an undisclosed advisory and data-sharing workflow beyond normal calculator behavior. This creates a strong risk of oversharing sensitive financial information into another system without meaningful privacy notice, consent granularity, or minimization.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The server enables a local HTTP API with `Access-Control-Allow-Origin: *`, allowing any website opened in the user's browser to issue cross-origin requests to this localhost service. Because the API can read and write pension data and report status without authentication, a malicious site could tamper with or exfiltrate sensitive financial information once the web UI is started.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The static file handler joins `req.url` directly with `__dirname` and serves any existing file under that path, which turns the skill into a general local file host rather than a narrowly scoped pension UI. Even if `path.join` keeps requests rooted under the skill directory in many cases, exposing arbitrary files in the package can leak source, configuration, embedded secrets, or internal data files to any party that can reach the local server.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The server enables `Access-Control-Allow-Origin: *` and permits `GET, POST, OPTIONS` on endpoints that read and write local pension data. Any website visited by the local user could issue cross-origin requests to this localhost service and exfiltrate or overwrite sensitive financial/personal data, which is broader and riskier than a simple calculator requires.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The static file handler maps arbitrary request paths under `__dirname` and serves any existing file, making the process a generic local file server rather than a narrowly scoped pension UI. Even if path traversal is partially constrained by `path.join`, exposing all files in the skill directory can leak source, configuration, or stored JSON files that are not necessary for end-user operation.

Vague Triggers

Medium
Confidence
75% confidence
Finding
The trigger phrase '帮我计算养老金' ("help me calculate my pension") and similar wording is broad enough that ordinary conversation can cause the agent to immediately invoke `start_web_ui`. In context, that can unexpectedly launch a local service and begin a workflow involving sensitive financial data collection without clear confirmation, which is an unsafe action boundary for a finance-related skill.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill instructs users to save detailed retirement and financial information to local files, and elsewhere mentions localStorage persistence, but does not provide an explicit privacy warning, retention notice, or guidance about who can access the stored data. In a pension/finance context, these records contain sensitive personal financial data, so silent persistence increases the risk of unintended disclosure on shared or monitored systems.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
Sensitive pension data is uploaded to the server via `fetch('/api/save-data')` with no user-facing notice at the point of collection explaining that clicking save transmits personal financial data off-device. In this skill, the collected data includes retirement age, balances, contributions, and salary-related values, making the lack of transparent upload notice a significant privacy/security issue.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The copy dialog encourages users to paste personal pension data into an AI chat but provides no clear privacy warning that the pasted content may be retained, processed, or exposed outside the calculator. Because this is retirement and savings data, the context makes accidental disclosure especially sensitive and potentially harmful.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The save workflow automatically exports a JSON file containing pension data without clearly warning the user that a local file with sensitive financial information will be created on their device. Such files can persist in downloads folders, backups, or shared machines, increasing unintended disclosure risk.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The `/api/save-data` endpoint stores user pension inputs to `user-data.json` on disk, but the user-facing flow shown in the tool responses does not clearly disclose that this sensitive retirement and financial data will be persisted locally. Silent persistence increases privacy risk, especially on shared systems or environments where other processes/users can access the skill directory.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
When `generate_report` receives a `data` object directly, it silently writes that supplied data to disk and marks status as completed. Users or calling agents may reasonably expect direct input to be transient, so this behavior can unexpectedly retain sensitive financial and age-related information beyond the immediate calculation request.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The `/api/save-data` endpoint accepts arbitrary JSON and writes it directly to disk without authentication, integrity checks, schema validation, or any user consent flow. In the context of an open localhost web server with permissive CORS, this allows silent persistence of attacker-controlled content and tampering with pension input data or status information.

Ssd 3

Medium
Confidence
95% confidence
Finding
The UI explicitly directs users to copy pension data and paste it into an AI chat, normalizing exfiltration of highly sensitive financial information outside the calculator's boundary. In a pension-planning skill, this is particularly risky because the data can reveal income level, savings, retirement timeline, and other personal financial traits useful for profiling or fraud.

Ssd 3

Medium
Confidence
92% confidence
Finding
The success message tells users to return to the conversation so AI can generate a report from saved personal data, reinforcing a hidden cross-system data flow and encouraging reliance on AI processing of sensitive financial records. This is dangerous because it conditions users to share or authorize analysis of private pension data without a clear privacy boundary or stated necessity in the skill description.

Unpinned Dependencies

Low
Category
Supply Chain
Content
"author": "纲目财学",
  "license": "MIT",
  "dependencies": {
    "@modelcontextprotocol/sdk": "^1.0.0"
  },
  "engines": {
    "node": ">=18.0.0"
Confidence
92% confidence
Finding
"@modelcontextprotocol/sdk": "^1.0.0"

Known Vulnerable Dependency: @modelcontextprotocol/sdk==1.0.0 — 2 advisory(ies): CVE-2026-0621 (Anthropic's MCP TypeScript SDK has a ReDoS vulnerability); CVE-2025-66414 (Model Context Protocol (MCP) TypeScript SDK does not enable DNS rebinding protec)

High
Category
Supply Chain
Confidence
98% confidence
Finding
@modelcontextprotocol/sdk==1.0.0

VirusTotal

VirusTotal findings are pending for this skill version.
